Trust, Mistrust and Consumer Information

Tuesday Jan 27th 2004 by Drew Robb

Share:

Trust, Mistrust and Consumer Information

Recent Harris Interactive surveys reveal that most customers still do not trust companies to handle their personal information responsibly. Reflecting consumer mistrust, several governmental regulations have emerged to legislate security and build consumer trust.

The laws are complex, demanding stiff fines and jail time for offending executives. This article, therefore, gives an overview of the regulations and describes the challenges and opportunities facing storage and IT managers.

Gramm-Leach-Bliley Act

Enacted by the U.S. Federal government in 1999, this act applies only to financial institutions. It covers security for customer private information.

"1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. A customer can bring civil suit for damages.

Requires: Disclosure of any security breach in which unencrypted personal information might have been acquired by an unauthorized person; procedures to identify and contact persons affected; due diligence in protecting customer information from unauthorized access. There is no definition of the level of encryption.

Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting, auditing practices and associated document retention. Holding CEOs and CFOs directly responsible, this act has a major effect on U.S. corporations and already sent one executive to jail. This act does not directly regulate consumer privacy, but it has important Storage and IT implications. Requires: Save all documentation used for financial reports and audits; save transactions and meeting minutes; retain data for 5 years; locate and recover documents in a few days.

The SEC has expanded Rule 17a that covers exchange member and brokerage house record keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages, order tickets, approvals and more. There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a .

Requires: Non-rewritable, non-erasable, time stamped, duplicate message storage; third-party download and storage service; fully indexed and searchable messages; data retention for 6 years, with the first two years being in faster storage. "Immediately" provide a copy of any message upon SEC request.

Enacted by Canadian government in 2000, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy and electronic documents.

Requires: Consent before disclosing personal information; well planned and documented privacy policies made known within the company; levels of information sensitivity and security; data retrieval on demand by customer or law enforcement; data retention only as long as required by law.

While these laws mean a whole lot of overtime for storage professions in the coming years, privacy is actually far more than a legal obligation. As the Harris Interactive Surveys show, it is also good business.

Almost 50 percent of consumers, for example, would buy more frequently and in greater volume from companies known to have more reliable privacy practices. On the other hand, 83 percent would stop doing business entirely with companies that misuse private information. 75 percent mistrust company confidentiality, transaction security and protection against hackers.

The bottom line: Customers want their information kept private. And storage professionals are going to be under more corporate scrutiny than ever as a result of the legislation covered above.